
Simposium Nasional Akuntansi XX, Jember, 2017

The Implementation of Information Technology Governance Audit in the Ministry of Finance of Indonesia

Paper session type: Full paper

Nur Imroatun Sholihat
Inspektorat Jenderal Kementerian Keuangan (Inspectorate General, Ministry of Finance)


Abstract: Nowadays, organizations, including public sector organizations, have begun to recognize the important role of information technology (IT) in sustaining their business processes. For example, in the last 3 years, the Ministry of Finance (Kemenkeu) has spent Rp1.244 billion (USD 93,57 million) on IT investment. The benefits received from IT investment are influenced by its governance (Weill, 2004). To ensure that IT is well governed, IT governance audits are conducted. To date, Kemenkeu is the only internal supervisory organization in Indonesia that has carried out IT governance audits. The IT governance audit at Kemenkeu has also applied a generally accepted framework, COBIT 4.1. For these reasons, Kemenkeu can serve as a benchmark for other internal supervisory organizations in this audit area. This research can contribute because, although IT governance audit is important to carry out, to the best of the author's knowledge, research on its implementation in internal supervisory organizations in Indonesia is not yet available. This research aims to understand the implementation of IT governance audit at Kemenkeu and to compare it with its measuring tool, the IT Assurance Guide: Using COBIT. To achieve this aim, the research is conducted using a qualitative method. The results show that the implementation of IT governance audit in the Ministry of Finance has applied COBIT 4.1 and the IT Assurance Guide: Using COBIT. Although it is in the early stage of implementation, the IT governance audit has been carried out well. The audit planning and execution processes are almost entirely in accordance with the IT Assurance Guide: Using COBIT, while the audit scoping process, for certain reasons, has not yet been carried out.

Keywords: COBIT 4.1, IT Governance Audit, Ministry of Finance

1. Introduction

Nowadays, we can no longer imagine an organization running without information technology (IT). The utilization of IT is no longer a choice but an obligation, in order to make business processes function more efficiently, effectively, and competently. Many organizations make huge investments in IT to secure or maintain competitive advantages (Applegate et al., 2003). IT is not just critical to the private sector, but has also become integral to the public sector in delivering efficient and cost-effective services to the public (Omari et al., 2013). Government organizations have become increasingly dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information.

Evidence of this phenomenon is the government's use of IT to provide information and public services to the people, widely known as e-government. To promote the wide-scale utilization of IT, Indonesia’s government established the required regulations and, indeed, the new “Palapa Ring” mega-project. Palapa Ring, which involves a huge undersea fiber-optic cable network that will offer faster broadband to the entire archipelago, signifies the government’s commitment to ease and adequacy of IT access around the country.

The positive impacts of IT come hand-in-hand with the negative ones. Information systems encounter serious security threats that may arise from weaknesses in internal controls and/or the nature of the competitive environment as the need for and dependency on information increases (Al-Hayale and Khadra, 2006). The Indonesian news site Tempo reported that network attacks by hackers in Indonesia, counted until August 2015, had cost the country Rp33,29 billion. Security issues have made organizations, including government ones, start to pay attention to IT governance. For example, by 2018 Indonesia's State Owned Enterprises (BUMN) have to achieve maturity level 3 (defined) out of 5, which means IT governance processes are documented and communicated (PER-02/MBU/2013).

Furthermore, organizations presently spend huge funds on IT investment. In the terminology of Van Grembergen, De Haes, and Guldentops (2004), proper IT governance is needed to ensure that investments in IT will generate the required business value and that risks associated with IT are mitigated. To assess the IT governance level of an organization, an IT assurance and/or audit process is performed. Many companies around the world are aware of the benefits of IT auditing, including IT governance audit, which results in efficiency and profitability (Nkwe, 2011). To examine the adequacy of controls in information systems and related operations, organizations (usually) equip themselves with an IT audit function.

Indonesia’s government, especially through the Ministry of Communication and Informatics, has been paying attention to IT governance. Every year the Ministry grants the government institutions with the best information technology governance an award called the e-Government Award. In 2013, the Indonesian e-Government Award went to the Ministry of Finance (MoF), since MoF successfully arranged its information technology infrastructure and human resources to support communication between governments, between government and enterprises, and between government and the public (kemenkeu.go.id). Hence, the Ministry of Finance could be an acceptable example of IT governance practice in the public sector.

Year                        2015           2016           2017
The planned fund            971.817.504    208.691.113    64.090.047
Total IT investment fund    1.244.598.664

Table 1. IT investment fund in the Ministry of Finance (in thousand rupiah)
Calculated based on the data taken from rkakldipa.anggaran.depkeu.go.id

The Ministry of Finance (MoF), the country’s general treasurer, uses IT to perform its duties better. The applications developed within MoF, for example SPAN (State Treasury and Budget System), CEISA (Custom Excise Information System Administration), e-SPT (Tax Annual Letter of Notification), and SIMAK BMN (State Property Management and Accounting Information System), show that IT helps MoF’s daily business processes. This significant dependency on IT makes IT audit increasingly relevant in the MoF. Moreover, the amount of IT investment funding in the MoF is also tremendous. In the last 3 years, MoF has spent Rp1.244 billion (USD 93,57 million) on IT investment alone. Inevitably, IT governance and IT audit practice need to be applied. In the MoF, the IT Audit Unit of the Inspectorate General plays the IT audit role.

The Inspectorate General of the Ministry of Finance is one of the Government Internal Supervisory Apparatus (APIP) that has achieved level 3, securing the first rank, based on the Internal Audit Capability Model (IACM) assessment by the Finance and Development Supervisory Agency (BPKP) (kemenkeu.go.id). Besides, the Inspectorate General of MoF is the first and, to date, the only government internal audit institution to operate an IT Audit Unit. With the importance of IT only growing and IT investment funds getting larger over time, every organization needs an IT audit function, specifically IT governance audit, running within it. For the aforementioned reasons, the Inspectorate General of the MoF could serve as the role model for IT governance audit implementation.

Moreover, the IT audit unit in the Inspectorate General of the Ministry of Finance has adopted the COBIT 4.1 framework. This framework is widely accepted by the profession and allows management to benchmark the governance and control practices of the IT environment. To date, COBIT is regarded as the best practice for IT governance. A study of the IT audit unit in the Inspectorate General of MoF is important because it could serve as the benchmark for other internal audit institutions, or even more widely, in building an IT audit unit of their own. Lastly, to the best of the author’s knowledge, research about IT governance audit practice in Indonesia’s public sector has not been found yet. Hence, the author senses the urgency of conducting this research.

This research seeks to understand the implementation of IT governance audit in the MoF compared to the COBIT 4.1 Framework. The IT governance audit studied in this research is limited to audits using the control objectives approach. This research is motivated by the question “How is the implementation of IT governance audit in the Ministry of Finance compared to COBIT 4.1 Framework?”. In addressing this question, the research aims to describe the implementation of IT governance audit in the Ministry of Finance and to address the gap that exists between the theoretical framework and the implementation of IT governance audit in the Ministry of Finance.

2. Theoretical Framework

2.1. IT Governance

In today’s complex business environment, Weill and Ross (2004) identified six key assets, namely human, financial, physical, intellectual property, IT, and relationships, that must be governed to create value. Hence, IT is one such key resource that needs to be governed for organizational value creation, as shown in Figure 1.

Figure 1. The Assets firms govern to create value

Source: Weill and Ross (2004)

The Information Technology Governance Institute (ITGI) (2007) defined IT governance as “the responsibility of the board of directors and executive management”. Weill and Ross (2004) define IT governance as specifying the decision rights and accountability framework to encourage desirable behavior in using IT. The Information System Audit and Control Association (ISACA) (2009) stated that IT governance is basically concerned with the way IT delivers value and with the management of the risks associated with it, which can be brought about through the strategic alignment of business and IT, resource management, and performance management. Moreover, IT governance was acknowledged as significant, as evidenced by the statement, “An effective IT governance structure is the single most important predictor of getting value from IT.” (isaca.org). Guldentops (2003) mentioned that IT governance is important to enterprises because of these issues:

1. Trust—With investors willing to pay significantly more for shares of well-governed enterprises
2. Value—When considering the majority of enterprise market value is in intangible assets
3. Survival—When trust can vanish overnight when based on intangibles and governance practices
4. Assurance—With its increasing requirements for risk transparency and increasing focus on internal controls


Figure 2. IT governance drivers

Source: Guldentops, 2003

IT governance is directly related to IT investment. On the linkage between the two, Sethibe et al. (2007) stated that IT governance is the structure of relationships, processes, and mechanisms used to develop, direct, and control IT strategy and resources so as to best achieve the goals and objectives of an enterprise. As Weill (2004) stated, IT governance matters because it influences the benefits received from IT investments. Weill (2004) further claimed that through a combination of practices (such as redesigned business processes and well-designed governance mechanisms) and appropriately matched IT investments, top-performing enterprises generate superior returns on their IT investments (up to 40% greater return than their competitors for the same investment). This statement is supported by Crawford (2006), who stated “IT governance is needed to ensure that the investments in IT will generate the required business value and risks associated with IT are mitigated”.

Amali et al. (2015) reported that the use of IT in public organizations has evolved into every aspect as part of their efforts to improve their services. According to Juiz et al. (2014), good governance principles, as a public asset, should be included and implemented in IT governance practices. Bermejo et al. (2014) agree, claiming that IT governance is a major resource for the aggregate value of the public service offered to the community.

2.2. COBIT 4.1 Framework

ISACA (www.isaca.org) and ITGI (www.itgi.org) define COBIT (Control Objectives for Information and related Technology) as a comprehensive set of resources that contains all the information organizations need to adopt an IT governance and control framework. Spremic et al. (2012) argued that COBIT is the widely accepted IT governance and IS auditing framework and represents an ‘umbrella’ framework for implementing IT governance policies and procedures and for conducting IT auditing. It is a broad and comprehensive de facto standard which comprises all activities, processes, and services which can help companies manage the level of operational (IS/IT related) risks.

COBIT is a widely accepted IT governance framework organized by key IT control objectives, which are broken into detailed IT controls (Spremic et al., 2012). The COBIT 4.1 framework states that version 4.1 of COBIT divides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate), which are broken into 34 key IT processes and then further divided into more than 300 detailed IT control objectives. Gheorghe (2010) proposed that by considering the 34 key IT processes, an owner can ensure that an appropriate control system is achieved in the IT environment.

2.3. IT Assurance Guide: Using COBIT

Africa (2009) stated that auditing IT governance deals with the audit approach and procedures in reviewing IT governance processes within a business firm. It aims to show the critical areas of IT governance as well as their effects on the quality of IT service delivery to satisfy business objectives. To assure that COBIT 4.1-based IT governance is well implemented, COBIT provides the IT Assurance Guide: Using COBIT as a step-by-step guide for IT auditors. IT governance audit is conducted to ensure that IT helps organizations achieve their goals and get suitable value from IT investments. The relationship between IT governance and organizational performance is shown in the diagram below.

Figure 3. IT governance vs organizational performance

Source: Van Grembergen and De Haes (2010)

According to the IT Assurance Guide: Using COBIT by ITGI (2007), the IT Assurance Guide is designed to enable efficient and effective development of IT assurance initiatives, providing guidance on planning, scoping, and executing assurance reviews using a road map based on well-accepted assurance approaches. The overall stages and steps for providing IT assurance are shown in the diagram below.

Figure 4. IT Assurance Road Map

Source: ITGI (2007)

3. Research Method

This study serves as an exploratory study, as research in this area is in its early stages and little research material has been developed in Indonesia. The case study is conducted by exploring the implementation of IT governance audit in the Ministry of Finance of Indonesia. In an attempt to obtain a thorough description of the matter, this research is conducted with the qualitative method. This research incorporates the results of an interview with members of the IT Audit Unit of the Inspectorate General of MoF. To get a better overall understanding of the subject, the related documents are also studied. A focus group discussion is carried out to discuss possible improvements towards better IT governance audit practice by the Inspectorate General of the MoF.

This research attempts to translate the interview and focus group discussion results into a qualitative description of the organization’s implementation of IT governance audit. The analysis is structured by the three stages of the IT governance audit process: planning, scoping, and executing. The results of the interview, FGD, and document analysis are then addressed in this writing in order to provide an understanding of the topic. To ensure the credibility of the data collected, the respondent validated the interview transcript and focus group discussion minutes by signing them.

4. Results

4.1. IT Audit Unit of Inspectorate General of MoF

The IT Audit Unit of the Ministry of Finance was established by Regulation of Minister of Finance No.234/PMK.01/2015 about Organization and Job Structure in the Ministry of Finance. The regulation states that one of the mandated functions of the Inspectorate General c.q. Inspectorate VII is “...the other audit activities toward IT management in the Ministry of Finance” (section 1659). The Regulation describes that the IT Audit Unit itself has the duty to “carry out the research and development, formulate the supervisory policy, and carry out the supervisory action towards IT management in Ministry of Finance and as internal audit unit, and develop the audit report.”. The unit’s vision is “To be the best IT Audit Unit which is professional and having integrity to support the accomplishment of public trust of finance management by Ministry of Finance” (IT Audit General Strategy, 2013: 2). The unit is led by the Head of IT Audit Unit. The operating model chosen for the IT Audit Unit is the centralized operating model (the IT audit function runs as an independent function instead of being integrated into the other kinds of audit functions).

Even though the centralized operating model was chosen for the IT audit unit, there are 2 kinds of IT audit strategy used. The first is integrated IT audit, where the risk emerges from a certain business process and IT control is believed to be able to mitigate the risk. The other IT audit strategy is thematic IT audit. This strategy is used when the needed audit is all about IT and is separable from the operational aspect. Thematic IT audit is held based on specific IT risk, policymakers’ expectations, current issues, and mandated regulation.

The IT Audit Unit consists of 1 auditor madya (middle-level auditor) as the group coordinator, 2 auditor pertama (entry-level auditors), and 7 auditor pelaksana (junior auditors). The auditor madya takes the role of pengendali teknis (technical supervisor), and the audit quality is supervised by the pengendali mutu (quality supervisor). In the Inspectorate General, each unit does not have its own designated quality supervisor. Usually, in an inspectorate there are 1 or 2 quality supervisor(s) for all the audit groups or units under the inspectorate. After approval by the quality supervisor, the inspector gives the final authorization. After all those procedures are completed, the audit report is issued. Every auditor level is obtained through certification training and examination by Pusdiklat Pengawasan BPKP (Education and Training Centre, Finance and Development Supervisory Agency). The auditor leveling is explained below:

Figure 5. Audit report authorization flow

Source: Inspectorate General of MoF

To perform IT governance audit efficiently and effectively, the IT Audit Unit is supported by these regulations:

1. Regulation of Inspectorate General No. PER-9/IJ/2014 about IT Governance Audit with Control Objective Approach Guidelines
2. Regulation of Inspectorate General No. PER-10/IJ/2014 about Computer Assisted Audit Techniques (CAATs)
3. IT Audit General Strategy (2013)
4. IT Audit Standard (2013)
5. IT Audit Annual Planning and Reporting Guidelines (2013)
6. IT Governance Audit Practice Guidelines (2013)
7. IT Governance Audit Implementation Guidelines (2013)

Based on the interview with the head of the IT Audit Unit, Mr. Widodo Lestarianto, the unit was established because of the massive utilization of IT to help MoF carry out its duties. The impact of IT governance audit has not been measured yet, since it has not been 3 years since IT governance audit officially existed in MoF. However, IT auditors are invited to the board meetings of Komite Pengarah Teknologi Informasi dan Komunikasi (MoF’s Steering Committee of Information and Communication Technology) and are asked for suggestions on improving IT management in the MoF. Even though it has not been measured, the most visible impact of IT governance audit was the increasing awareness of the auditees (in this case, every institution in the MoF) about IT governance in managing their IT unit/division.

Human resources played an important role in the unit's establishment. In the first stage of the IT Audit Unit, 10 personnel who were interested in becoming IT auditors were recruited, without considering their IT skill and knowledge. “If they want to be IT auditors, it is easy to make them capable by giving them training”, said the head of the IT Audit Unit. This happened due to the lack of human resources capable of being IT auditors in the early stage of the IT Audit Unit's establishment.

The consultant for the IT Audit Unit's establishment recommended to the organization (Inspectorate General of MoF) about 3 years of continuous training for IT auditors so that they could obtain the needed competencies. Right now, there are 14 personnel in the IT Audit Unit, consisting of 10 IT auditors and 4 IT auditor interns. They are given the needed training to enhance their skill and competency. Based on a self-assessment held in 2016, 11% of IT auditors have a full understanding of IT governance, while 89% partially understand it. This means that 89% of auditors understand IT governance but do not cover all of its domains. 4 of them hold the COBIT5F (COBIT 5 Foundation) certification. With this certification, the holder is considered to fully understand the framework. Generally, IT auditors have an adequate understanding of audit planning (83%), executing (89%), and reporting (79%) but lack understanding of the auditee’s business process. The reason for this is that, as mentioned before, IT audit is in its early stage. Business process is something that the IT auditors will learn through time and experience.

Table 2. Number of relevant certifications owned by the IT auditors
Source: interview

Name of certification                                        Number of holder(s)
Certified Information System Auditor (CISA)                  7
Certified in Risk and Information System Control (CRISC)     1
Certified Information Security Manager (CISM)                1
Certified Ethical Hacker (CEH)                               1
Certified Governance of Enterprise IT (CGEIT)                2
Cisco Certified Network Associate (CCNA)                     1
COBIT5F                                                      4


Meanwhile, for infrastructure, the IT Audit Unit is equipped with adequate supporting infrastructure. Currently, the software managed by the IT audit unit comprises vulnerability assessment/penetration test software, virtualization software, and database management interface software. The newest audit supporting infrastructure added to the list is the audit laboratory. This laboratory provides experience to the auditors before they perform the real audit.

In managing its audit working papers and audit reports, the Inspectorate General uses the Teammate application. Its official site states that Teammate is a comprehensive audit management software system designed to help the auditor and audit department leadership manage all aspects of the audit process (teammatesolutions.com). There are desktop-based and web-based versions of Teammate. The application is used for these reasons:

1. Team-based working papers
Teammate provides team-based integrated electronic working papers (TeamEWP), which allow individual sign-off of each procedure within a multiple-step program. This also allows team members to work on different steps within the same program and each electronically sign off their own steps.

2. An effort towards paperless audit reporting
Instead of traditional working papers, Teammate provides electronic working papers (EWP). Teammate has a functional access levels feature within TeamEWP, which provides distinct levels of authorization based upon the auditor’s role on the given project. By using this feature, the audit report is reviewed and authorized through the application. The audit report is printed only when it has been reviewed and authorized by the audit team leader, technical supervisor, quality supervisor, and inspector.

3. Punctuality of audit report
Information becomes meaningful when it is available in a timely manner. In Teammate, the audit report should be reported before the assigned due date. This allows the auditee to perform the follow-up process as soon as possible, since the audit report is finished within a certain time after the audit is performed.

4. Accessible at any time and from any place
Teammate’s web-based application is supported by a powerful database architecture that allows the auditors to quickly find real-time information about their audit report at any time and from anywhere.

4.2. The Comparison between IT Assurance Guide: Using COBIT with IT Governance Audit in the MoF

IT governance audit performed by the IT Audit Unit of MoF uses 2 kinds of approaches: the control objectives approach and the attribute approach. The final product of this audit is the maturity score (also referred to as maturity level) of the auditee. All institutions under MoF have been audited except the one currently undergoing re-organization, the Directorate General of Treasury. Of the 34 key control objectives, some are not audited, for example PO5 (Manage the IT investment), because for a public sector organization such as MoF, IT investment is arranged by its central IT unit (Pusat Informasi dan Teknologi Keuangan/MoF’s Information and Technology Central Unit). This implies that each institution does not perform IT investment management for itself. The other excluded domains are DS6.3 and DS6.4 (Cost Modelling and Charging), due to MoF's nature as a public service organization. Cost modelling and charging is irrelevant because MoF serves the people without considering profit-taking.

The first phase of IT governance audit is audit planning. IT governance audit is planned annually. The IT Audit Unit’s audit planning is stated in its Annual Audit Program, which is defined through the annual audit planning meeting. The IT audit universe is already defined because Peraturan Menteri Keuangan Nomor 234/2015 (Regulation of Minister of Finance No. 234/2015) states that the Inspectorate General, including the IT Audit Unit, has to oversee all the institutions in the MoF. There are 11 institutions under MoF, which form the IT audit universe of IT governance audit. They selected the IT control framework in their annual audit planning. Decree of Inspector General Per-09/IJ/2014 states that the COBIT 4.1 Framework is officially applied as their control framework. The audit planning process does not include planning of risk-based audit, since IT governance audit is in its early stage, so all domains, without exception, become the audit area. There is no high-level assessment and scoping due to the need to assess all areas of IT governance. This is consistent with Mr. Widodo Lestarianto’s argument that in its early stage, the main purpose of IT governance audit is to know the overall state and score of IT governance.

Unlike information security, which has several frameworks to use, like NIST, SANS Institute, ISC2, etc., COBIT is the only all-in framework for IT governance audit. Around the time the IT Audit Unit was established, although COBIT 5 had been introduced by ISACA, no organization had implemented it yet. For that reason, MoF picked the latest version published before COBIT 5, COBIT 4.1, as its framework. The consultant also recommended COBIT 4.1 because it has been successfully implemented in many organizations around the world. However, to keep pace with IT development over time, the IT Audit Unit is going to apply COBIT 5 starting next year (2018). Mr. Widodo Lestarianto said, “COBIT 5 is going to be implemented next year as a part of our commitment to improve the quality of our IT governance audit. We have prepared that as 4 of our auditors are COBIT5F certification holders. We will encourage more auditors to take that certification.”

Audit scoping, which is the second stage of IT governance audit, has not been performed in the MoF yet. The same reason lies behind this decision. The IT Audit Unit needs to assess all areas of IT governance thoroughly and equally to know the starting line of every institution’s IT governance state. In the future, they will perform this stage after knowing the baseline and the current score of every institution’s IT governance. By performing the audit without a certain scope, the auditors will get the big picture of the IT governance state of each institution but will not get a deep understanding of it.

To execute the audit process, the auditors start with an entry meeting with the head of the institution (tentative) and the head and staff of the IT division/unit. The auditors refine their understanding of the IT governance audit subject through this meeting. The auditor asks the auditee to provide the needed documents, such as the organization structure, job descriptions, etc. As stated before, IT audit scoping has not been performed. The most visible impact of the missing scoping process is that the auditors get the overall view but not an in-depth one. To know the overall view of IT governance, the auditors perform the interview and analysis processes.

IT governance audit techniques used by the IT Audit Unit are:

1. Interview

The auditor conducts the needed interviews with the related parties, such as the IT division manager and staff.

2. Analysis

Documents, policies, standards, and IT management practices are analyzed (test of design) to get a better understanding of the auditee’s IT governance state.

3. Enquiry and Confirmation

After the interview and analysis stages, the auditor confirms the audit result with the related parties.

The audit does not use walkthrough, observation, or sampling methods to test the effectiveness of procedures and policy compliance. The Head of IT Audit Unit confirmed this by saying, “We don’t aim to do a detailed audit for the time being. Our current audit objective is to the whole understanding about IT governance state of each institution. After we got the general understanding, for the upcoming audit, we are going to use walkthrough, observation, and sampling.”

The conclusion and recommendations are developed and communicated through an audit report. Before the audit report is published, however, the IT auditors release audit result minutes. After the auditee has agreed to and approved the audit result minutes, the audit report is published. The auditor then meets once again with the personnel responsible for IT governance (mainly the head of the IT unit) to deliver the audit report.

Because MoF currently has no mandatory rule on IT governance, IT auditors cannot deliver strong recommendations. Instead, they deliver soft recommendations to the auditee, with the reminder that a re-audit will be performed in the near future with strong recommendations as its product. For now, the main purpose of IT governance audit is to raise the auditee’s awareness. For that reason, a strong recommendation is hardly appropriate.

The follow-up process is monitored with the TeamCentral feature of the TeamMate application. In the application, the auditor records each recommendation and the follow-up action that must be completed within the specified time. The auditee reports the result of the follow-up, accompanied by supporting evidence, through this application. If the auditor accepts the report as the right follow-up, the follow-up process is considered successful.

The existence of IT governance assistance is highly appreciated by the auditee. The auditor approaches the auditee not as a supervisor but as a friend and consultant in achieving better IT governance. With these approaches (soft recommendations and assistance), IT audit has received a favourable response from the institutions in the MoF. It is safe to say that a gentle approach to the auditee is needed in the early stage of IT governance audit.

Quality assurance for IT governance audit is performed through peer review and tiered supervision. TeamMate, the working paper application used by the Inspectorate General of MoF, supports tiered supervision, starting from the audit team leader and continuing through the technical supervisor, quality supervisor, and inspector. Asked about the problems and obstacles the organization faces in performing IT governance audit, the auditors expressed the following opinions:

1. Lack of concern about IT governance

Not every institution is concerned about IT governance. While many organizations pay attention to their IT governance, some argue that it is less urgent.

2. Lack of audit tenure

IT governance audit is usually given a tight tenure of approximately a month. Based on the interviews with the auditors, this tenure is too short to gain an understanding of an institution’s IT governance state. This is also because of the difficulty of arranging interview schedules with the related personnel of the auditee’s IT unit.

4.3. Possible Improvement of IT Governance Audit by IT Audit Unit of MoF

Through a focus group discussion (FGD), the auditors discussed the obstacles to, and solutions for, their current IT governance audit practice. Based on this FGD, the improvements required to make the IT governance audit practice better are listed below:

1. Even competencies among IT auditors

Each area of the IT governance domain has only a limited number of auditors in charge of it. This makes the organization dependent on certain auditors. For example, the deliver and support area is mastered by only one or two auditors. How well will the organization run if such an auditor decides to resign someday?

2. The need for regeneration

In the Inspectorate General, every staff member is moved to another division after 4-5 years. While the Head of IT Audit Unit has suggested to the organization’s Human Resource Development Division that IT auditors should be given a longer period at the IT Audit Unit, the unit needs to regenerate its auditors.

3. The need for customized audit guidelines for each institution

Given the unique characteristics of each institution, customized audit guidelines for each institution are something the IT Audit Unit should provide in the near future.

4. IT Audit Unit needs to speak up at strategic meetings, such as the board meeting of KPTIK, to discuss IT governance

Information technology has become more and more important, but a lot of institutions have not realized that. Through the board meeting of KPTIK, the IT Audit Unit could deliver the message about the importance of IT governance and the urgency of having well-governed IT. That meeting is attended by the IT executives within MoF, so it is considered a suitable place to campaign for the importance of IT governance for each institution and for MoF.

5. Legalize the Regulation of the Minister of Finance on the IT governance standard for MoF

Due to the absence of a mandated regulation on IT governance, IT auditors cannot force the auditee to comply with all the recommendations they give. That regulation is something they need to make the IT audit more powerful. The IT auditors expect that the regulation will be settled in the near future.

5. Conclusion, Implication and Limitation

5.1. Conclusion

MoF’s IT governance audit practice has implemented the COBIT 4.1 framework and IT Assurance Guide: Using COBIT. Despite being in its early stage, the IT governance audit is performed well enough. The audit planning and execution processes are in accordance with IT Assurance Guide: Using COBIT, while the scoping process still needs some improvement.

5.2. Limitation of Research

Future research could explore IT governance audit implementation in public sector organizations in greater depth.

5.3. Suggestion

a. The Ministry of Finance needs to perform the audit scoping process.

b. Other public sector organizations should build an IT audit unit of their own.

REFERENCES

Abu Musa, A. A. (2007): “Exploring Information Technology Governance (ITG) in Developing Countries: An

Empirical Study”, The International Journal of Digital Accounting Research 7: 71- 117.

Africa, D. 2009. Auditing IT Governance Seminar. ISACA Manila Professional Development Center. Manila: ISACA Manila Chapter.

Al-Hayale, T., & Abu Khadra, H. 2006. Evaluation of The Effectiveness of Control Systems in The Computerized Accounting Information Systems: An Empirical Research Applied on Jordanian Banking Sector. Journal of Accounting, Business, and Management 13: 39-68.

Amali, Lanto Ningrayati., M. Mahmuddin, and Mazida Ahmad. 2015. Towards Good Monitoring IT Governance in Public Sector Organizations. ARPN Journal of Engineering and Applied Sciences 10: 1203-1209.

Becker, Saul., Alan Bryman, and Joe Sempik. 2006. “Defining ‘Quality’ in Social Policy Research: Views, perceptions and a framework for discussion, Social Policy Association”. Lavenham: Suffolk.

Bermejo, P.H.S., Tonelli, A.O. Zambalde, and A.L. 2014. Developing IT Governance in Brazilian Public

Organizations. Int. Bus. Res 7(3): 101-114.

Crawford, Adam. 2006. Networked Governance and the Post-Regulatory State? Steering, Rowing and Anchoring the Provision of Policing And Security. Theoretical Criminology 10(4): 449-479.

DiCicco, Barbara, and Crabtree, Benjamin F. 2006. “The Qualitative Research Interview”. Medical Education 40: 314-321.

Gheorghe, M. 2010. Audit Methodology for IT Governance. Informatica Economica 1: 32-42.

Grembergen, De Haes, and Guldentops. 2004. Structures, Processes and Relational Mechanisms for IT Governance. London: Idea Group Inc.

Guldentops, E. 2003. Governing Information Technology Through COBIT. In W. Van Grembergen (Ed.), Strategies For Information Technology Governance. Hershey, PA: Idea Group Publishing.

ITGI. 2003. “IT Governance Institute, Board Briefing on IT governance. 2nd Edition”. http://www.itgi.org

ITGI. 2007. “COBIT 4.1 Framework, Control Objectives, Management Guidelines, Maturity Value”.

http://www.itgi.org

ITGI. 2007. “IT Assurance Guide: Using COBIT”. http://www.itgi.org

ISACA (Information System Audit and Control Association). 2009. Implementing and Continually Improving

IT Governance. Rolling Meadows, IL: Information Systems Audit and Control Association.

J. A. Hall. 2011. Information Technology Auditing and Assurance. Third Edition. South-Western: Cengage

Learning.

Juiz, C., C. Guerrero, and I Lera. 2014. Implementing Good Governance Principles for the Public Sector in

Information Technology Governance Frameworks. Open Journal of Accounting 3: 9-27.

Khaddash, H. A., R. A. Nawas, and A. Ramadan. 2013. “Factors Affecting The Quality of Auditing: The Case of Jordanian Commercial Banks”. International Journal of Business and Social Science 4 (11): 206-222.

Kemenkeu. rkakldipa.depkeu.go.id

Kemenkeu. 2015. “BPKP: MoF’s Government Internal Supervisory Apparatus Could Be Role Model”. http://www.kemenkeu.go.id/en/Berita/bpkp-mof%E2%80%99s-government-internal-supervisory-apparatus-could-be-role-model

Kemenkeu. 2015. “MoF Achieves E-Government Award Winner”. http://kemenkeu.go.id/en/Berita/mof-achieves-e-government-award-winner

LM, Applegate., Austin RD, and McFarlan FW. 2003. Corporate Information Strategy and Management: Text and Cases. 6th Ed. New York: McGraw-Hill.

Mahzan, Nurmazillah and Farida Veerankutty. 2011. IT auditing activities of public sector auditors in Malaysia. African Journal of Business Management 5(5): 1551-1563.

Nkwe, Nugi. 2011. State of Information Technology Auditing in Botswana. Asian Journal of Finance & Accounting 3: 125-136.

Omari, Loai Al: Paul Barnes: and Grant Pitman. 2013. Delphy Study into the Audit Challenges of IT

Governance in the Australian Public Sector. Electronic Journal of Computer Science and Information

Technology 4(1): 5.

Parent, M. and B.H. Reich. 2009. Governing Information Technology Risk. California Management Review 51:

3

Sethibe, T., J. Campbell, and C. McDonald. 2007. “IT Governance in Public and Private Sector Organisations:

Examining the Differences and Defining Future Research Directions”. 18th Australian Conference on

Information Systems: 833-843.

Spremic, Mario., Marijana Ivanov. and Bozidar Jakovic. 2012. IT Governance and Information System Auditing Practice in Credit Institutions in The Republic of Croatia. International Journal of Applied

Mathematics and Informatics 6: 101-108.

Steuperaert, Dirk. 2008. IT Governance Global Status Report 2008: An Excerpt. http:www.isaca.org

Tempo. 2015. “Cyber Crime, Lebih dari Rp 33 M Melayang Gara-gara Hacker”. http://m.tempo.co/read/news/2015/08/26/172695105/cyber-crime-lebih-dari-rp-33-m-melayang-gara-gara-hacker

Van Grembergen, W. and S. DeHaes. 2008. Enterprise Governance of IT. Belgium: Idea Group Publishing Antwerp University.

Weber, R. 1988. EDP Auditing: Conceptual Foundations and Practice. 2nd Edition. New York: McGraw Hill.

Weill, P and J.W. Ross. 2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior

Performance. USA: Harvard Business School Press.

Weill, P. 2004. Don’t Just Lead, Govern: How Top Performing Firms Govern IT, MIT Sloan School of

Management, Center for Information Systems Research, Working Paper No. 341

Williams, P. 2006. A helping Hand with IT Governance. Computer Weekly, Sep. 19: 26-27.

Wijsman, Thomas., Paul Neelissen, and Chris Wauters. 2013. “IT Governance in The Public Sector: ‘top-priority’”. http://www.intosaiitaudit.org/muscat/Netherlands-IT_governance.pdf

Zwyalif, M. A.. 2013. “IT Governance and its Impact on the Usefulness of Accounting Information Reported in

Financial Statements”. International Journal of Business and Social Science 4 (2): 83-94.
